org.apache.shiro.subject.SubjectContext Java Examples

Example #1
Source File: CasSubjectFactory.java — from shiro-cas-spring-boot-starter (Apache License 2.0)
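/**
 * Creates the subject for a CAS login, clearing the {@code authenticated} flag
 * when the login was only a CAS "remember me" login.
 *
 * <p>The SecurityManager sets {@code authenticated} after any successful
 * authentication attempt, but a remember-me login is not a full authentication:
 * the resulting subject must be "remembered" rather than "authenticated", so
 * that access checks requiring a real login still force one.
 *
 * @param context the subject context populated by the SecurityManager
 * @return the subject built by the superclass from the (possibly adjusted) context
 */
@Override
public Subject createSubject(SubjectContext context) {
    if (context.isAuthenticated()) {
        AuthenticationToken token = context.getAuthenticationToken();
        // instanceof is false for null, so no separate null check is needed.
        if (token instanceof CasToken && ((CasToken) token).isRememberMe()) {
            // Downgrade: a remember-me CAS login must not be reported as authenticated.
            context.setAuthenticated(false);
        }
    }
    return super.createSubject(context);
}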
 
Example #2
Source File: AccountSubjectFactory.java — from mblog (GNU General Public License v3.0)
/**
 * Builds a web-aware subject from a {@link WebSubjectContext} and hands it to
 * {@code handlerSession}; any other context type is delegated to the superclass.
 *
 * @param context the subject context whose resolved state becomes the subject's state
 * @return the created subject
 */
@Override
public Subject createSubject(SubjectContext context) {
    if (context instanceof WebSubjectContext) {
        WebSubjectContext webContext = (WebSubjectContext) context;
        // Resolve the subject's state in the same order the superclass would;
        // the resolve* methods presumably fall back to context-level defaults.
        SecurityManager manager = webContext.resolveSecurityManager();
        Session resolvedSession = webContext.resolveSession();
        boolean createSessions = webContext.isSessionCreationEnabled();
        PrincipalCollection resolvedPrincipals = webContext.resolvePrincipals();
        boolean isAuthenticated = webContext.resolveAuthenticated();
        String remoteHost = webContext.resolveHost();
        ServletRequest servletRequest = webContext.resolveServletRequest();
        ServletResponse servletResponse = webContext.resolveServletResponse();

        Subject webSubject = new WebDelegatingSubject(
                resolvedPrincipals,
                isAuthenticated,
                remoteHost,
                resolvedSession,
                createSessions,
                servletRequest,
                servletResponse,
                manager);
        handlerSession(webSubject);
        return webSubject;
    }
    return super.createSubject(context);
}
 
Example #3
Source File: JwtSubjectFactory.java — from jboot-admin (Apache License 2.0)
/**
 * Disables server-side session creation for JWT-authenticated requests before
 * delegating subject creation to the superclass.
 *
 * @param context the subject context carrying the authentication token
 * @return the subject created by the superclass
 */
@Override
public Subject createSubject(SubjectContext context) {
    boolean jwtLogin = context.getAuthenticationToken() instanceof JwtAuthenticationToken;
    if (jwtLogin) {
        // JWT requests are stateless: do not create a session for them.
        context.setSessionCreationEnabled(false);
    }
    return super.createSubject(context);
}
 
Example #4
Source File: SecurityGuiceConfigurer.java — from seed (Mozilla Public License 2.0)
/**
 * Registers the Shiro security components selected in {@code securityConfig}
 * with the Guice binder, in four groups: subject, authentication, cache and sessions.
 *
 * <p>Optional components (subject context, subject factory, session validation
 * scheduler) are bound only when configured; the subject DAO falls back to
 * {@link DefaultSubjectDAO}. The two session timing constants are converted
 * from seconds to milliseconds before binding.
 *
 * @param binder the Guice binder to register the bindings with
 */
public void configure(Binder binder) {
    bindSubjectComponents(binder, securityConfig.subject());
    bindAuthenticationComponents(binder, securityConfig.authentication());
    bindCacheComponents(binder, securityConfig.cache());
    bindSessionComponents(binder, securityConfig.sessions());
}

/** Subject context and factory when configured; the DAO defaults to {@link DefaultSubjectDAO}. */
private void bindSubjectComponents(Binder binder, SecurityConfig.SubjectConfig subjectConfig) {
    Class<? extends SubjectContext> subjectContext = subjectConfig.getContext();
    if (subjectContext != null) {
        binder.bind(SubjectContext.class).to(subjectContext);
    }
    Class<? extends SubjectFactory> subjectFactory = subjectConfig.getFactory();
    if (subjectFactory != null) {
        binder.bind(SubjectFactory.class).to(subjectFactory);
    }
    Class<? extends SubjectDAO> subjectDao = subjectConfig.getDao();
    binder.bind(SubjectDAO.class).to(subjectDao == null ? DefaultSubjectDAO.class : subjectDao);
}

/** Authenticator, authentication strategy and credentials matcher (all mandatory). */
private void bindAuthenticationComponents(Binder binder, SecurityConfig.AuthenticationConfig authenticationConfig) {
    binder.bind(Authenticator.class).to(authenticationConfig.getAuthenticator());
    binder.bind(AuthenticationStrategy.class).to(authenticationConfig.getStrategy());
    binder.bind(CredentialsMatcher.class).to(authenticationConfig.getCredentialsMatcher());
}

/** Cache manager (mandatory). */
private void bindCacheComponents(Binder binder, SecurityConfig.CacheConfig cacheConfig) {
    binder.bind(CacheManager.class).to(cacheConfig.getManager());
}

/** Session storage evaluator, optional validation scheduler, and the two timing constants. */
private void bindSessionComponents(Binder binder, SecurityConfig.SessionConfig sessionConfig) {
    binder.bind(SessionStorageEvaluator.class).to(sessionConfig.getStorageEvaluator());
    Class<? extends SessionValidationScheduler> scheduler = sessionConfig.getValidationScheduler();
    if (scheduler != null) {
        binder.bind(SessionValidationScheduler.class).to(scheduler);
    }
    // Seconds -> milliseconds. NOTE(review): if these getters return int, very
    // large configured values would overflow here — confirm the getter types.
    binder.bindConstant()
            .annotatedWith(Names.named("shiro.sessionValidationInterval"))
            .to(sessionConfig.getValidationInterval() * 1000);
    binder.bindConstant()
            .annotatedWith(Names.named("shiro.globalSessionTimeout"))
            .to(sessionConfig.getTimeout() * 1000);
}
 
Example #5
Source File: ApiKeySecurityManager.java — from emodb (Apache License 2.0)
/**
 * Creates a subject context that is explicitly bound to this security manager.
 *
 * <p>Per the original author, this works around a Shiro issue that arises when
 * the SecurityManager is not bound globally: pinning {@code this} on every new
 * context means subjects built from it resolve to this manager rather than to
 * a (possibly absent) global one.
 *
 * @return the superclass's context with its security manager set to {@code this}
 */
@Override
protected SubjectContext createSubjectContext() {
    final SubjectContext boundContext = super.createSubjectContext();
    boundContext.setSecurityManager(this);
    return boundContext;
}
 
Example #6
Source File: StatelessSubjectFactory.java — from shiro-spring-boot-starter (Apache License 2.0)
/**
 * Creates a stateless subject: session creation is switched off on the
 * context before delegating to the superclass.
 *
 * @param context the subject context to build the subject from
 * @return the subject created by the superclass
 */
@Override
public Subject createSubject(SubjectContext context) {
    context.setSessionCreationEnabled(false); // stateless: never create a session
    return super.createSubject(context);
}
 
Example #7
Source File: JsetsSubjectFactory.java — from jsets-shiro-spring-boot-starter (Apache License 2.0)
/**
 * Creates the subject, switching session creation and session storage off when
 * the context's token is stateless (as classified by {@code CommonUtils.isStatelessToken}).
 *
 * <p>NOTE(review): {@code storageEvaluator} is an instance field shared by all
 * requests, and this method flips its flag per request; with concurrent
 * stateless and stateful requests the writes can interleave — confirm whether
 * a per-subject {@code SessionStorageEvaluator} decision is the intended design.
 *
 * @param context the subject context carrying the authentication token
 * @return the subject created by the superclass
 */
public Subject createSubject(SubjectContext context) {
    // Default to storing sessions, then override for stateless tokens.
    this.storageEvaluator.setSessionStorageEnabled(Boolean.TRUE);

    AuthenticationToken authcToken = context.getAuthenticationToken();
    boolean stateless = CommonUtils.isStatelessToken(authcToken);
    if (stateless) {
        context.setSessionCreationEnabled(false);                      // no session
        this.storageEvaluator.setSessionStorageEnabled(Boolean.FALSE); // no session persistence
    }
    return super.createSubject(context);
}
 
Example #8
Source File: IamSubjectFactory.java — from super-cloudops (Apache License 2.0)
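/**
 * Creates the subject after two adjustments to the context:
 * <ol>
 *   <li>A remember-me login (a {@link RememberMeAuthenticationToken} whose
 *       {@code isRememberMe()} is true) is not a full authentication, so the
 *       {@code authenticated} flag the SecurityManager set is cleared.</li>
 *   <li>When {@link #isAssertRequestAccessTokens} allows it, the request's
 *       access token (enhanced-session signature) is verified; on failure the
 *       context and the session are both marked unauthenticated (fail closed)
 *       and subject creation continues.</li>
 * </ol>
 *
 * @param context the subject context populated by the SecurityManager
 * @return the subject created by the superclass from the adjusted context
 */
@Override
public Subject createSubject(SubjectContext context) {
    // The SecurityManager sets the authenticated flag after any successful
    // authentication attempt, but a remember-me login must only yield a
    // "remembered" subject. instanceof is false for null, so no null check is needed.
    AuthenticationToken token = context.getAuthenticationToken();
    if (token instanceof RememberMeAuthenticationToken
            && ((RememberMeAuthenticationToken) token).isRememberMe()) {
        context.setAuthenticated(false);
    }

    // Signature check of the enhanced session. An invalid access token downgrades
    // the subject rather than aborting; the downgrade is also written to the
    // session, presumably so later requests do not see a stale authenticated flag.
    if (isAssertRequestAccessTokens(context)) {
        try {
            assertRequestAccessTokenValidity(context);
        } catch (UnauthenticatedException e) {
            context.setAuthenticated(false);
            context.getSession().setAttribute(AUTHENTICATED_SESSION_KEY, false);
            if (log.isDebugEnabled()) {
                log.debug("Invalid accesstoken", e);
            } else {
                log.warn("Invalid accesstoken. - {}", e.getMessage());
            }
        }
    }

    return super.createSubject(context);
}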
 
Example #9
Source File: JwtDefaultSubjectFactory.java — from zhcc-server (Apache License 2.0)
/**
 * Creates a subject without a session: session creation is disabled on the
 * context and the rest is left to the superclass.
 *
 * @param context the subject context to build the subject from
 * @return the subject created by the superclass
 */
@Override
public Subject createSubject(SubjectContext context) {
    // JWT-based subjects are stateless: do not create a session.
    context.setSessionCreationEnabled(false);
    return super.createSubject(context);
}
 
Example #10
Source File: StatelessDefaultSubjectFactory.java — from parker (MIT License)
/**
 * Stateless subject creation: marks the context as not allowed to create a
 * session, then delegates to the superclass.
 *
 * @param context the subject context to build the subject from
 * @return the subject created by the superclass
 */
@Override
public Subject createSubject(SubjectContext context) {
    final boolean createSession = false; // stateless: never create a session
    context.setSessionCreationEnabled(createSession);
    return super.createSubject(context);
}
 
Example #11
Source File: IamSubjectFactory.java — from super-cloudops (Apache License 2.0)
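/**
 * Asserts that the request carries a valid access token (the enhanced-session
 * signature) for the current session.
 *
 * <p>The check is skipped for contexts already marked authenticated (the
 * authentication request itself) and for contexts without a session.
 * Otherwise the expected token is recomputed from the session and the
 * session-bound sign key, and compared in constant time with the token sent
 * in the request.
 *
 * <p>The sign key is the key input of {@code generateAccessToken} and is
 * treated as secret material: it is not written to the log or to the
 * exception message, because the caller logs {@code e.getMessage()} at WARN.
 *
 * @param context the subject context; expected to be a {@link WebSubjectContext}
 * @throws UnauthenticatedException if the request token, session id or sign
 *         key is missing, or the request token does not match the expected one
 * @see AbstractIamAuthenticationFilter#makeLoggedResponse
 */
private final void assertRequestAccessTokenValidity(SubjectContext context) throws UnauthenticatedException {
    // Only subjects that already logged in are checked: the authentication
    // request itself and session-less (e.g. internal API) requests are exempt.
    if (context.isAuthenticated() || isNull(context.getSession())) {
        return;
    }

    WebSubjectContext wsc = (WebSubjectContext) context;
    Session session = wsc.getSession();
    HttpServletRequest request = toHttp(wsc.resolveServletRequest());

    // Protocol state bound to the session at login time.
    String sessionId = valueOf(session.getId());
    String accessTokenSignKey = (String) session.getAttribute(KEY_ACCESSTOKEN_SIGN_NAME);
    IamAuthenticationToken authcToken = (IamAuthenticationToken) session.getAttribute(KEY_AUTHC_TOKEN);

    // Token presented by the client (sign key deliberately not logged).
    final String accessToken = getRequestAccessToken(request);
    log.debug("Asserting accessToken, sessionId:{}, authcToken: {}, accessToken: {}", sessionId, authcToken, accessToken);

    hasText(accessToken, UnauthenticatedException.class, "accessToken is required");
    hasText(sessionId, UnauthenticatedException.class, "sessionId is required");
    // The sign key is stored at login; its absence means a broken session, not a bad client.
    hasText(accessTokenSignKey, UnauthenticatedException.class, "No accessTokenSignKey");

    // Recompute the expected signature from the session and the sign key.
    final String validAccessToken = generateAccessToken(session, accessTokenSignKey);
    log.debug("Asserted accessToken of sessionId: {}, accessToken: {}, authcToken: {}", sessionId, accessToken, authcToken);

    // Constant-time comparison: String.equals returns at the first differing
    // byte, which would leak how much of the signature matched. Fully-qualified
    // names are used because this listing does not show the import block.
    boolean matches = validAccessToken != null
            && java.security.MessageDigest.isEqual(
                    accessToken.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                    validAccessToken.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    if (!matches) {
        // Message omits the sign key: the caller surfaces it via log.warn(e.getMessage()).
        throw new InvalidAccessTokenAuthenticationException(
                format("Illegal authentication accessToken: %s, sessionId: %s", accessToken, sessionId));
    }
}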
 
Example #12
Source File: AgileSubjectFactory.java — from watchdog-framework (MIT License)
/**
 * Creates the subject with session creation disabled on the context.
 *
 * @param context the subject context to build the subject from
 * @return the subject created by the superclass
 */
@Override
public Subject createSubject(SubjectContext context) {
    context.setSessionCreationEnabled(false); // stateless subjects: no session
    return super.createSubject(context);
}
 
Example #13
Source File: JwtSubjectFactory.java — from wetech-admin (MIT License)
/**
 * Creates a session-less subject for JWT requests: session creation is
 * disabled on the context before the superclass builds the subject.
 *
 * @param context the subject context to build the subject from
 * @return the subject created by the superclass
 */
@Override
public Subject createSubject(SubjectContext context) {
    final SubjectContext statelessContext = context;
    statelessContext.setSessionCreationEnabled(false); // no session for JWT
    return super.createSubject(statelessContext);
}
 
Example #14
Source File: SecurityConfig.java — from seed (Mozilla Public License 2.0)
/**
 * Returns the configured {@link SubjectContext} implementation class.
 *
 * @return the context class, or {@code null} when none was configured
 *         (the Guice configurer skips the binding in that case)
 */
public Class<? extends SubjectContext> getContext() {
    return this.context;
}
 
Example #15
Source File: SecurityConfig.java — from seed (Mozilla Public License 2.0)
/**
 * Sets the {@link SubjectContext} implementation class to bind.
 *
 * @param context the context class; {@code null} leaves the binding unset
 * @return this config, for chaining
 */
public SubjectConfig setContext(Class<? extends SubjectContext> context) {
    this.context = context;
    return this; // fluent setter
}
 
Example #16
Source File: StatelessWebSubjectFactory.java — from bootshiro (MIT License)
/**
 * Creates every subject without a session: session creation is disabled on
 * the context unconditionally before delegating to the superclass.
 *
 * @param context the subject context to build the subject from
 * @return the subject created by the superclass
 */
@Override
public Subject createSubject(SubjectContext context) {
    // Stateless web subjects: no session is ever created here.
    context.setSessionCreationEnabled(Boolean.FALSE);
    return super.createSubject(context);
}
 
Example #17
Source File: IamSubjectFactory.java — from super-cloudops (Apache License 2.0)
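/**
 * Decides whether the request access token (signature) must be asserted for
 * this subject context.
 *
 * <p>Returns {@code true} only when access-token validity is enabled in the
 * session configuration and the request is neither a media request nor an
 * internal-protocol request that carries no access token. A context that is
 * not a {@link WebSubjectContext} has no servlet request to read a token from,
 * so it yields {@code false} instead of a {@code ClassCastException}.
 *
 * @param context the subject context being turned into a subject
 * @return {@code true} if {@link #assertRequestAccessTokenValidity} should run
 */
protected boolean isAssertRequestAccessTokens(SubjectContext context) {
    // Cheapest check first; also avoids touching the request when the feature is off.
    if (!config.getSession().isEnableAccessTokenValidity()) {
        return false;
    }
    if (!(context instanceof WebSubjectContext)) {
        // Non-web subject creation: there is no HTTP request, hence no token to assert.
        return false;
    }
    HttpServletRequest request = toHttp(((WebSubjectContext) context).resolveServletRequest());
    return !isMediaRequest(request) && !isInternalProtocolNonAccessTokenRequest(request);
}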